Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Re: How to calculate threshold for enable_memory_t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I am looking for clarification on how Splunk calculates and enforces the search_process_memory_usage_threshold (enabled by enable_memory_tracker).
Specifically, I am trying to determine if the memory tracker monitors the memory footprint per search SID per individual indexer/peer, or if it tracks the aggregated memory used by that SID across the entire cluster.
Example Scenario: Suppose I have a single search (SID: 12345) running across three indexers with the following peak memory usage:
Indexer 1: 5GB
Indexer 2: 4GB
Indexer 3: 6GB
To keep this search from being terminated by the memory tracker, how should the threshold be calculated?
Option A (Per-Process): Set the threshold to ~7GB (covering the highest single consumer).
Option B (Cluster-Wide): Set the threshold to 15GB+ (the sum of all three indexers).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Utkc137 Splunk enforces search_process_memory_usage_threshold on a per-search process basis per node, not as an aggregated cluster-wide value. In your example, each indexer’s search process is evaluated independently, so you would set the threshold to cover the largest single consumer (~7 GB), not the sum across all peers. Option A is preferred in your case.
Refer:
Limit search process memory usage | Splunk Enterprise (last updated 2025-07-04T01:40:36.641Z)
>>
If this post addressed your question, you can:
- Give it karma to show appreciation 👍
- Mark it as the solution if it solved your issue ✔️
- Add a comment if you’d like more details ✏️
Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.
>>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Utkc137 Splunk enforces search_process_memory_usage_threshold on a per-search process basis per node, not as an aggregated cluster-wide value. In your example, each indexer’s search process is evaluated independently, so you would set the threshold to cover the largest single consumer (~7 GB), not the sum across all peers. Option A is preferred in your case.
Refer:
Limit search process memory usage | Splunk Enterprise (last updated 2025-07-04T01:40:36.641Z)
>>
If this post addressed your question, you can:
- Give it karma to show appreciation 👍
- Mark it as the solution if it solved your issue ✔️
- Add a comment if you’d like more details ✏️
Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.
>>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Utkc137 I believe search_process_memory_usage_threshold enforces memory per individual search process on each node - so for your 3-indexer scenario, try to set the threshold to cover only the highest single consumer (~7000 MB for Indexer 3 at 6GB peak), not the 15GB+ cluster-wide sum, and build in buffer below your hard stop since termination is not exact.
Together we make the Splunk Community stronger
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
